Outdated Encryption Algorithm Fatal for Data Protection?

Imagine you are the owner of a luxurious hotel that collects an extensive amount of guest information day in day out. Such information can range from the name and home address to sensitive credit card information. Where will all these important data be stored at? The answer is in the hotel’s database. However, are the information stored safely from harmful infiltration? It’s sad to point out that we live in a cyber world where cyber-leak can happen anywhere, and every day. Even Rail Europe recently has revealed a three-month data breach of credit cards and debit cards. There is no doubt that there has been a rise in awareness in terms of protecting clientele information.

Despite the increase in the use of open source database, some still lack the security solutions commercial databases have. Take for example the most popular open source database — MySQL, uses several algorithms in order to encrypt and protect user data stored in the database as MySQL recognizes the exploits in MD5 and SHA-1 algorithms and recommends the use of other algorithms available. According to the United States Computer Emergency Readiness Team (US-CERT), MD5 is no longer an appropriate means of encryption and recommends companies to avoid using it. There are two main types of algorithms, encryption, and hashing.

Encryption and Hashing

Encryption is a process with an inverse. In other words, If I encrypt some text, there is a process which is able to convert the new text back to the original, called decryption. Though often used in encryption algorithms, hashing is fundamentally a different form of encryption. What a hash is meant to do is to generate a fixed size value of a string of text that is unique to that given input text. Often a one-way operation, there is no need to “reverse engineer” the hash function by analyzing the hashed values. Furthermore, any slight changes in the input text can produce an entirely different hash value.

Of MySQL’s algorithms used for encryption, the MD5 algorithm and SHA-1 uses a hashing algorithm. However, these two algorithms have already been “cracked”. This means that data that is encrypted using these algorithms are easily breached. Hackers with the technology have developed methods in order to break these algorithms and access the data.

Brute Force Attacks and Rainbow Tables

Brute-force attacks are a trial-and-error method used to crack algorithms. Say an attacker has an encrypted file, and they know that this file contains sensitive data for grab. To unlock it, hackers try every single possible password combination. The brute-force attack would likely start at one-digit passwords before moving to two-digit passwords and so on so forth, matching all possible combinations until the file is decrypted by force. Think maybe having an extremely long and complex can prevent this? Truth is, brute-force software is created for such reasons, simply brute-cracking.

Moreover, because people rarely use complete random characters as passwords, there is a trick that applies when it comes to guessing them. An attacker can run a collection of millions or so commonly used passwords through a hashing algorithm and obtain a list — rainbow table — of associated message digests for these passwords. A rainbow table is a listing of all possible plaintext permutations of encrypted passwords specific to a given hash algorithm. It is child’s play for any computer to run and compare a file of stolen password hashes against a rainbow table. For every match, the table will display the possible passwords for that hash.

Unfortunately, a rainbow table for MD5 and SHA-1 algorithm already exists. Meaning, the safety of any data that is protected by an outdated algorithm is compromised. Brute-force attacks are something to be concerned about when protecting data, choosing encryption algorithms, or even selecting passwords. While developers of open source databases work towards creating a safe environment for users, the harsh reality is that it just doesn’t quite make the cut. Encryption has to keep up with how fast it’s being rendered ineffective by new technology.

Modern Encryption

Present-day encryption consists of complex algorithms. However, the default algorithms within open source databases are mostly primitives, like those that have been proven to be unsafe. Finding an open source database equipped with high-level security is few and far beyond. This is why most users have opted to implement third-party encryption solutions for proper client information protection. If your business holds sensitive information of clients or guests, it is your duty to ensure that the data remains safe and secure. If you are storing sensitive information on open source databases, be proactive and verify the encryption algorithm. Simple actions may just save your business from facing a catastrophic data breach.